Re: This is quite interesting

Yes, I for one know what happened, and it was not in any way your fault.

As to the second - you are right of course, it just swung that way

Re: This is quite interesting

It happens, and can happen in any forum. I wouldn't sweat it.

+1 - It would not be very difficult to trick someone who believes they are invulnerable. They let their guard down making them much easier targets.

A classic mistake is to give up personal information no matter how insignificant. For example lets say someone posted an IP address and said "attack me". An IP address typically gives up someones location unless it is masked by a proxy or simply a fake.

If you have an internet handle from for example a forum, that can lead to a real name. A real name plus an internet handle can lead to an email address. This can for example lead to information about a former employer.

A real name + the location from the posted IP can lead to a physical address, and a telephone phone number. This can lead to property records, spousal information, etc. You see where this can go, all from an IP posted in a forum. Not very smart.

Now you have the persons name, address, phone number, internet service provider, information about their former employer and quite possibly a lot of other information, it would be trivial to make up a story to get the user (or the users spouse) to download and execute something on the computer which exposed the computer in some way to attack.

In this example lets use a uuencoded binary payload that contains a private key, an ssh daemon and a reverse tunnel. Lets execute it as the user on a high port so the user will not notice that its there. Maybe instead we can inject a script that sleeps for a while, waking up now and then and copying any new data found in $HOME to the attackers home base. Lets randomize it to mask its pattern.

What if the attacker turned on the camera on your laptop and watched you? There was a guy in the news that just got busted doing this very thing. My point ultimately is that the platform doesn't really matter, and no one platform ultimately protects better than any other.

Signing them would have mitigated it alone, however the MD5 could have been swapped out pretty easily if it was hosted on the same server. This doesn't however eliminate an author gone rogue. If one of the authors of this IRC daemon for example decided to place bad code in the source it may well go unnoticed when another author signs the package.

Note, I am in no way saying that these authors are malicious, I simply am using them as an example.

This. It is often easier for someone that does not "get it" to make accusations rather than to accept the facts presented.

Back on topic though, how 'bout those posts?

Re: This is quite interesting

Pretty abstract stuff. lol However, I certainly agree that running mystery executables is a possible way to get your computer compromised. It is also generally avoided by anyone who cares one way or the other. I imagine the fashion hounds with the laptops and built in cameras and stuff could be vulnerable, but I would be careful about generalizing on that issue.

Regarding personal information, I'm not sure if the distribution of the basics is preventable. I personally am very sensitive about it, but still everybody knows me and where I live. The person and the place are one and the same. That is traditional and goes back thousands of years. Note all the "von" and "van" and "de la" names. To me a life of anonymity would be deeply embarrassing. I would be ashamed of myself if I couldn't look someone in the eye, shake their hand, and tell them my name. Despite that philosophy, if you get within 20 maybe even 100 miles of my place people will know the house. I can't avoid that. Perhaps I am different in some way, but note that I am not hiding under any assumed names here and am willing to say what I mean as the person I am.

Those of us who use the internet will also find our phone numbers and addresses plastered all over the place by ICANN. Perhaps it's their idea of a joke, but it's reality. The phone book works in a similar way for people who use phones. As for where I have worked, CBC, Cultural Alliance, etc etc etc, that's all a matter of public record. Where I draw the line is at birth date and mother's maiden name - although those are not really that hard to find if you want. What I'm trying to say is that someone who is worried about their name and address being part of their public profile is probably in need of a lifestyle change - if not a body guard. I personally consider that very unhealthy and will actively campaign against it. Don't get me wrong though, despite being strongly against it, I make a point of helping people who are lost and will always be here if they need me for support.

As for IP, well that's a funny one. My public IP is within 300 miles of here, but what is someone going to do with that?

Regarding this thread. It certainly has turned into a security discussion, and yes, it might be a good idea to start that elsewhere. Telengard's original idea is a good one and should probably be started elsewhere too. It's hard to address it at this point.

Re: This is quite interesting

I don't know about where you live, but photographs of my own house, driveway, and street are currently indexed in Google's database. Anyone who types the name of my city and street into Google maps can easily see pictures of my front lawn.

Re: This is quite interesting

Yes Google maps is cool. In this area they don't give us much detail, but you can still zoom in to the level where my workshop and cottage show up. Unfortunately you can't see who's parked outside, or if I'm on the roof. Anyway, that's an historical building in a town which has been almost a ghost town. It is the old general store and was built in 1912 when the town started. Have a look if you like - Google 1841 Front street Coalmont BC. That's all just lots of fun, and I really enjoy looking at the satellite view of where I grew up in Denmark - you can see the cars in that area - tracing the route I walked to school etc, is way cool. However, I'm all for putting some brakes on this because at some point this is going to be a problem. A little more detail and frequent updates and someone from out of the area is going to be able to tell if you're home or not. Of course some people advertise that on the net too, (GPS, twitter, etc) but I think that is going too far, security wise. Still, now you all know where I live, I hope some of you will drop in for coffee some time.

Re: This is quite interesting

I do wish I could feel free to disclose so much about myself. In my experience though, the more strangers know about me the more excuses they find to hate and persecute me.

Even for people who are acculturated differently though, there are too many crooks and deviants to take such risks. It is my belief that the only way to protect your personal freedom is by protecting your anonymity. Well, unless you can afford a team of lawyers to keep you out of trouble anyway.

Re: This is quite interesting

Could it be that the person who posted his IP address was really telling you that IF you believe Linux to be just as insecure as Windows then that IP address is your chance to put your skill where your mouth is. IOW, prove it!

BTW, an IP address isn't sacred nor is it secret. If you own a website your IP is easily obtained, directly through one of the five Whois-servers, or. if you use a proxy, indirectly with the appropriate sleuthing tools by packet analysis.

So, you know his handle. You know his IP. On various websites he's mentioned his real name, which can be easily googled to learn he lives in Lincoln, NE, and what his address is, he's mentioned where he used to work before he retired, he's also mentioned his computer consulting business, his criminal forensics business, that he taught science and math for 10 years in high school and 8 years in college. his pilot's license, he is a dead shot with firearms, and his political persuasions. His phone number was in a phone book and now its on the Internet where anyone can look it up. He's 6' 6" and 245 lbs, has eye problems, genetic foot problems, is allergic to Aspartame, partially bald, and loves dark chocolates. He's been married for 48 years to the same wonderful gal and has two children and three grandchildren. His auto license plate is "BUG JULY".

So what? That info isn't going to get his into his computer or his bank account in any way shape or form, any more than reading all this stuff in the newspapers will. All of it is or was in the newspapers at one time or another, in one city or another. He did business all over the mid-West.

It's not even valuable for "social engineering".

I don't have to hack anyone's computer to read mine or my neighbors property value, how much his house has sold for, what he bought it for, how much he owes on it and what his back taxes are, or if he's in probate or sheriff's sale. I can log onto my state's public property information server and get it free. Ditto for the car tags, car title, traffic violations, criminal record, etc. All freely accessible. But, NONE of that info gets you into my computer, or shows you my bank account routing numbers, account numbers, or my SSN. In short, nothing you can use to create a financial document masquerading as me.

In fact, even if you were able to break into my computer, which I doubt you can do, none of that financial information is on it.

Do you think I am running windows? "Let's execute it as the user ..."? !


It wasn't quite like that. A kid was spied on via his laptop web camera by his school because he was using SCHOOL SUPPLIED laptops. The school had set up spy software on the laptop and had the passwords for remote activation in order to spy on the kids. It wasn't like some cracker hacked into the laptop without the kid's knowledge. It's not cracking or hacking when you own the machine and the passwords!


Funny you should mention 'does not "get it"'. It's all about bringing "Windows thinking" to the Linux paradigm. That's what Rick Moen said about folk who "don't get" the Linux security model:

The occasional mis-administration by some Linux project or staff member or developer has NEVER lead to the mass infection of tens or hundreds of thousands or millions of Linux boxes. The Linux security paradigm doesn't allow it. Rick goes on to explain the how and why, and mentions a TON of malware which are no threat to Linux. His article covers all of Linux, from the beginning up to March of this year:

I think something could be learned from point IV:

Notice how folks who believe that Linux is as vulnerable as Windows gloss over the main problem: getting INTO a Linux system in the first place. Getting in is ASSUMED: "Lets execute it as the user..." or "Maybe instead we can inject a script...". You assume what you are trying to prove by having the executable already saved as a file, most often in root, and ready to run.

Re: This is quite interesting

Agreed, it is fascinating.

This is amusing, especially that some appear to have contemplated the possibility that it was real

http://news.bbc.co.uk/1/hi/scotland/...d/10401345.stm

I recommend everyone takes a quick look at the car on the front of their drive. Whilst the number plate is blurred out, move the viewer to the side so you are looking at it from an angle. Does the number mysteriously appear? Mine does, and I'm not entirely sure what to do about it.

On general matters, the notion of privacy is an illusion. I happen to think that my online activities are probably the only opportunity I have to be to any degree whatsoever anonymous. Given the nature of my job, someone need only have my name and google it to find out where I work. Then on the UK Governments website they can find out more information about me. To top it all, because I am a company director, my name.address and date of birth is listed at UK Companies House. Because it's publicly registered, that information is then published in the online telephone directory (but minus phone number because I asked to be ex-directory).

Also, don't forget all the data the government has about you. If your government is anything like mine, there's a pretty good chance sensitive information about you will have been on a laptop or an unencrypted USB left on a train/bus/plane etc etc etc.

Re: This is quite interesting

So you're from the UK eh? I can probably find all your particulars on a govt CD left on the bus or one of their many lost laptops then.

Re: This is quite interesting

Yep, and while you are at it you could probably find out my unique taxpayer number and pay my tax bill!

Re: This is quite interesting

Now there are a couple of very interesting comments. I agree that much privacy is an illusion. I find it easy to dig up all kinds of information on the net and places like phone books. The only reason I sometimes do this kind of thing is out of interest in finding people that I have known in the past. If I was really serious, I'm sure my success rate would be much higher. I personally like people to find me. I like people and I like old friends. I actually want people to find me. In fact I wasn't kidding about inviting you all for coffee. I'd be even more interested in someone from 50 years ago dropping by or e-mailing me. That's why I put my e-mail address on the net. And, by the way, since it fits with this discussion, I have several e-mail addresses in plain view on the net and I've had two pieces of spam in the last year.

As for the second statement. That's even more interesting. You know, I believe you. Not using your real name actually gives you a fighting chance. People would actually have to work at digging up some info on you. I hadn't thought that someone would actually want real anonymity but there are probably a few legitimate reasons for it. I had though about it more like people were either shy or rude if they didn't use their real names on the net. Certainly many people cannot handle the anonymity well.

PS: How big is your tax bill? I'll see what I can do.

Re: This is quite interesting

Actually I do give a clue to what I do in my forum name (it's a financial role rather than a violent one!) but potentially it's a role that can invoke conflict nonetheless, and every assignment I engage in is publicly registered, so I do indeed value my privacy when I can get it.

I remember one incident a few years back when I was engaged on an assignment only to find that one of the main players lived just around the corner from me Thankfully the case did not involve controversy so there was not a problem. However, it really does irk me that even though I opt out of pretty much everything I can be found with relative ease.

Re: This is quite interesting

I have already told you that I have no interest in pen-testing your IP. Your public IP most likely isn't even your desktop but rather a router and the IP you gave is probably not even yours since it terminates in another state all together. I'm sorry, but your bait fails. It is just another example of you lying to prove your case.

Based on the fact that you are quite happy to use deception in your messages, I would have to say that most of the fluff that you posted about yourself probably isn't true either.

You keep believing that.

You don't need root to execute malicious sofware, you only need root to destroy the computer or damage data owned by other users.

Yes it was.

I do get the Linux security model. I am a lot more familiar with it than you realize. I know you can't comprehend this, but Rick seems to be speaking about Linux servers and not Linux use as a desktop. Reading the article it is implied that you have to elevate to root to damage the system or data that is stored by processes that run as different users which is absolutely true on a server but not necessarily true on a desktop. These are completely different use cases. He even mentions very early in his rant that user space malware can damage data that you own.

I think you do a lot of googling and you only half understand the concepts.

No one has glossed over how to get into a Linux system, I gave an example of how it could possibly be done without triggering any remote exploit. I also earlier gave you examples of how it could be done without having execute permission. I have even given multiple examples of 0-day vulnerabilities in Linux. You have chosen to ignore all of it.

All you are doing here is further destroying your credibility. It is not doing you any good to continue to attack me.

Re: This is quite interesting

This may help:

http://maps.google.com/support/bin/a...&answer=162873

Re: This is quite interesting

@GreyGeek
sence you oferd it up hears a Nmap of your IP ........

looks prity tight to me ........but what do I know.......LOL

you gise/gals are geting deep.................but a wild read none the less........thanks for the entertanment and info.

I personaley dont think it's a good idea to keep credet card , bank# ,soshal securety# and the sutch on a box that's on the net but thats me..................

I dont know about what you all see on google maps/earth but when I look at my house the picturs and street view's are severall years old.........so whats the securety risk?

and as for identety theft...............LOL......hear have mine.

Charles V Wright ......AKA vinnywright,VINNY
1808 southview RD
lexington NC 27292

336-596-8333
charles.v.wright@gmail.com

keep in mind if your sucsesfull in pretending to be me you will shortley be swampt in BILLS at (my)new adress and will receve NO credit frome ENEYONE ......trust me on that.

thars no bank acct.'s no savings and no stature for ya.

that sead if eney of ya are in the naborhood come see us.

and have a glass of tee or a beer if your frendley ....or......a round with my pitbull and shotgun if you arnt

VINNY